41% of cyber-security apps contain high-risk open ...

leroux · ‎05-19-2018

Each year, the Black Duck OnDemand audit services group conducts open source audits on thousands of applications for its customers—primarily in conjunction with merger and acquisition transactions.

This 2018 report is based on data from various sectors such as healthcare, mobile app markets, IoT, big data, and more.

Key Findings:

96% of commercial codebases contain open source components.
78% of codebases had at least one open source bug, compared to 67% last year.
The average number of flaws per database has increased by 134% in this time to 64.
Over 4,800 vulnerabilities were found in open source software last year.
Over 50% of them were high risk, with 17% being highly publicised.
The applications of Internet and software infrastructure had the highest percentage of high risk open source vulnerabilities at 67%, followed by internet and mobile apps at 60%, VR and gaming/ media at 50%, and cybersecurity companies 41%

CEMyers · ‎05-20-2018

In this day and age where knowledge gained by degree has more standing than experience and cut and paste or reuse is more familiar and speeded than an appropriate development practice are you surprised at this? It has always been easier to copy chunks of code from someone else than to develop your own and who cares if it has bugs - someone in the wider community will fix it eventually. This is what happens when you let the children run the playground.

Dain · ‎05-24-2018

@CEMyers wrote:
In this day and age where knowledge gained by degree has more standing than experience and cut and paste or reuse is more familiar and speeded than an appropriate development practice are you surprised at this?

I'd add that there is a marked disconnect between the average Product Development team and the field / consumers of security products.

I've posted on linkedin about Cisco & Palo Alto products previously requiring flash, one of, if not the most vulnerable software products available (open source or otherwise) Add to that the hidden installs that flash has, in the past at any rate, bundled in and its ridiculous all the way around (looking at you Intel/Mcafee - desktop "security" products none the less)

Implemented properly I'd suggest open source is capable of being just as secure as purchased software, possibly more so if the devOps team is applying appropriate tools & controls to the development processes & source code. If devsec is not effective (which seems to often be the case) it seems like a toss up as to general assessment of vulnerabilities & associated risks.

As some of the more recent "headlines" have been malware impacting months old vulnerabilities, it certainly doesn't seem like "security users" are any better (generally) . But I'd agree with anyone saying it would be nice, and we should be expecting, security companies to be better.

/d

Caute_cautim · ‎05-24-2018

What about IoTs, which sneak into homeowners domains, without them even being aware they exist or how to update the firmware let alone that potentially they are turned on all the time.

For example and the list goes on and on:

https://blog.trendmicro.com/trendlabs-security-intelligence/device-vulnerabilities-connected-home-re...

Dain · ‎05-24-2018

do routers really count as IOT? I have a web connected A/C, I love it. Its also on its own SSID with access to nothing else...

Makes a good case for e.g. Meraki, even tho they aren't exactly consumer friendly in their pricing.

41% of cyber-security apps contain high-risk open source vulnerabilities